renattach 1.2.4 - Filter that renames/deletes dangerous email attachments
Copyright (C) 2003-2006 Jem E. Berkes
Web site: http://www.sysdesign.ca/
Program page: http://www.pc-tools.net/unix/renattach/
Email contact: support@pc-tools.net
As per the GNU GPL, there is no warranty for this software.
The author makes no guarantees as to software performance or
effectiveness. renattach is NOT a virus scanner. Filtering
is based on MIME headers and detectable filenames; as such,
the software tries to handle both correct structures and
incorrectly formatted messages. This filter will not catch
all dangerous emails, particularly attachments embedded inside
attachments.
************************************************************************
WARNING:
THIS SOFTWARE HAS BEEN DISCONTINUED. IT IS NO LONGER MAINTAINED.
************************************************************************
The author recommends that you do not depend upon renattach to
filter emails for dangerous content. As of 2006, renattach used
on its own is not enough to filter potentially harmful emails.
Dangerous attachments, or other attacks, may pass through the
filter undetected. Please switch from renattach to some other
actively developed security system.
Jem E. Berkes
2006-03-19
************************************************************************
renattach is a fast and efficient UNIX stream filter that can rename or
delete potentially dangerous e-mail attachments. The filter is invoked
as a simple pipe for use in a wide variety of systems. The 'kill' feature
(which eliminates entire messages) can also help sites deal with resource
strains caused by modern virus floods.
renattach is written in pure C and can quickly process mail with little
overhead. Unlike a conventional virus scanner, there are no specific virus
or worm definitions. Instead, renattach identifies potentially dangerous
attachments based on file extension and executable encoded body content.
The software is even capable of reading filenames from inside ZIP archives
on the fly, without requiring any external software. The self-contained
MIME code parses, fully interprets, then rewrites the header of every
attached file. During this process it checks the file's extension against
a list, and further checks to make sure the filename is not on a banned
list. Only after passing through these steps is the MIME header written
fresh using a predetermined, known format.
The program's operation is simple: a single mail message is read from
stdin, filtered, then written to stdout (or piped to an external command).
Tested under Linux, FreeBSD, Solaris, Mac OS X, and Cygwin. This software
should compile on any UNIX-like system that has standard C libraries.
FEATURES
--------
* Fast, lightweight, little overhead
* Recognizes both MIME and uuencoded attachments
* Compliant with RFC2047 and RFC2231, handles encoded filenames
* Capable of reading filenames inside ZIP archives, on the fly
* Can rename or delete attachments, or kill entire messages
* Can detect executables that carry DOS/Windows signature
* Supports list of banned filenames (great for handling floods)
* Simple pipe/stream operation; can be used within many filtering systems
* Can be installed directly as a content_filter for Postfix MTA
* Can be installed as a local delivery agent for Sendmail MTA
renattach looks for its configuration file (renattach.conf) in the path
specified at compile time. Alternatively, you can specify the location of
renattach.conf by using the -c command-line options. For example:
renattach -c renattach.conf
COMMAND USAGE
-------------
Note that the filter's default behaviour is to rename dangerous attachments
that match the badlist {mode=badlist, action=rename}. If searching inside
ZIP archives for filenames (see the search_zip configuration option), the
only actions that modify the ZIP files are delete and kill but NOT rename.
Therefore the default rename action has no effect on ZIP files; instead, use
the --delete or --kill options. Alternatively, append the /d and /k switches
to badlist extensions in the .conf file to selectively delete or kill some
file types while just renaming the rest.
(See man page for more detail on some of these command-line options)
Usage: renattach [OPTIONS]
-a, --all
Filter mode: Match all attachments.
-b, --badlist
Filter mode: Only match filenames that have extensions listed on the
bad-list. This will match only attachments with known dangerous file
extensions (default).
-c, --config filename
Use the specified configuration file. Run renattach with --settings
to verify current settings.
-d, --delete
Filter action: Delete attachment body after renaming headers.
-e, --excode
Extend exitcodes: 77=filtering occurred. This is in addition to the
default codes: 0=success, 75=temporary failure, 255=critical failure
-g, --goodlist
Filter mode: Match all attachments except those that have extensions
listed on the goodlist.
-h, --help
Show help, explain options.
-k, --kill
Filter action: Kill (absorb) entire email.
-l, --loop
Remove Delivered-To headers to prevent malicious mail forwarding loop.
-p, --pipe command [args]
Instead of writing output to stdout, open pipe to command (with args)
and send output there. This program must return with exit code 0.
This must be the last option on the command line.
-r, --rename
Filter action: Rename matching attachments (default).
-s, --settings
Show current settings/configuration and terminate.
-v, --verbose
Write verbose output (including settings) to stderr.
-V, --version
Display software version and terminate.
CONF FILE
---------
renattach reads its configuration options from renattach.conf, in your
$sysconfdir. There are defaults for all options but you will probably want
to tweak the configuration for your needs. The example configuration file
renattach.conf.ex fully describes all supported configuration directives
(in conf/ and copied to $sysconfdir by install).
Configuration directives are also described in the man page.
# Drop mail carrying executable attachments (DOS/Windows exec signature)
delete_exe = no
kill_exe = yes
# Search for filenames inside ZIP files
search_zip = yes
# Log filtered mail (delete, kill) to syslog mail facility
use_syslog = yes
# Delete winmail (MS proprietary) attachments without modifying Subject,
# also drop emails containing annoying scanner-generated warning bounces
banned_files = /winmail/d, /warn.txt/k, DELETED0.TXT/k
subj_banned = #
subj_deleted = [deleted attachment]
subj_renamed = [renamed attachment]
# When these file types are encountered, rename the attachment (assuming
# filter is invoked with default action=rename). However, kill mail containing
# any BAT, COM, etc. attachments even if they are inside ZIP files. There is
# risk of collateral damage. EML//d means delete ZIPs that contain EML.
badlist = ADE, ADP, BAS, BAT/k, CHM, CMD/k, COM/k, CPL/k, CRT, EML//d, EXE/k
badlist = HLP, HTA/k, HTM, HTML, INF, INS, ISP, JS, JSE, LNK, MDB
badlist = MDE, MSC, MSH, MSI, MSP, MST, NWS, OCX, PCD, PIF/k, REG/k
badlist = SCR/k, SCT, SHB, SHS, URL, VB, VBE, VBS/k, WSC, WSF, WSH